1. Is there a way for me to figure out the attacker IP address?
2. What kind of crack is the hacker trying on my Zimbra?
3. If I upgrade my Zimbra, would this problem disappear?

That's all from me, thank you very much for your answer.

09-12-2012, 03:32 AM

Paul Csiki

1. At first look it seems that his IP is: ip=192.168.101.99;
2. Also, the kind of attack is a brute-force or dictionary attack, by the way it looks.
3. No

Don't worry, we have millions of attacks like this on our servers and we are just fine. Zimbra will automagically block the account to prevent the password from being brute-forced, and our engineers just filter out the IP addresses in iptables once in a while.

09-12-2012, 06:46 PM

samuel sapp

Hi, thanks for your reply.
The IP is my own Zimbra machine, that's why I cannot figure out the actual attacker IP address. Actually, this kind of attack is annoying; users often complain about their accounts being locked.

Can you share with us how your engineers figure out the attacker IP address when this kind of attack occurs on your machine, or the method your engineers use?

Following the basics, I mean using HTTPS, strong passwords and educating users about security, e.g. phishing, you could be "safe".

Regarding blocking manually through iptables, you have to know... it's never-ending work.

Also, you surely know about RBLs.

ccelis

10-19-2012, 09:27 PM

justdave

Quote:

Originally Posted by ccelis5215

Hello Victor, there's no "automagically lock".

That's not quite true. There's nothing provided by Zimbra, but there are third-party tools that'll do it. You probably want to look into something like fail2ban or denyhosts. I know you can create user-defined rules in fail2ban for what logfiles to read and what patterns to match in them to determine an IP to block. You can also configure how to do the blocking (add to /etc/hosts.deny, block the IP in iptables, run some arbitrary script that does something else you want, etc).

Trying to explain how to use those tools is probably beyond the scope here... they have their own communities where questions can be asked.
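As an added illustration of the log-reading rule justdave describes (this is not code from the thread, from Zimbra or from fail2ban), the script below parses constructed audit.log-style lines, attributes each failed login to the original client address rather than the proxy address the original poster kept seeing, and flags sources that exceed a failure threshold inside a time window. The field names `ip=` and `oip=` and the line layout are assumptions about Zimbra's audit.log; check them against your own log before turning this into a fail2ban filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login line in Zimbra audit.log style: "ip=" is what the mailbox server
# saw (the local proxy, as in this thread), "oip=" the original client address
# the proxy passes through. Layout is an assumption: check your own audit.log.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"\[ip=(?P<ip>[^;\]]+);(?:oip=(?P<oip>[^;\]]+);)?[^\]]*\] security - "
    r"cmd=Auth; account=(?P<account>[^;]+);.*?authentication failed"
)
def parse_failure(line):
    """Return (timestamp, client_ip, account) for a failed login, else None."""
    m = AUTH_FAIL.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    # Prefer the original client IP; fall back to ip= when no proxy is in front.
    return ts, m.group("oip") or m.group("ip"), m.group("account")

def find_offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map each IP with more than max_failures failures inside one window
    (lines in time order) to the accounts it targeted. Counting per client
    IP, not per account, separates the attacker from its locked-out victims."""
    recent, accounts, offenders = defaultdict(deque), defaultdict(set), {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, account = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        accounts[ip].add(account)
        if len(q) > max_failures:
            offenders[ip] = accounts[ip]
    return offenders

def _line(ts, oip, account):
    # Constructed sample audit.log line (not captured traffic).
    return (f"{ts},000 WARN  [ImapServer-3] [ip=192.168.101.99;oip={oip};] "
            f"security - cmd=Auth; account={account}; protocol=imap; "
            f"error=authentication failed for [{account}], invalid password;")
# One source cycling through three accounts, plus one genuine typo by bob.
SAMPLE_LOG = [_line(f"2012-09-12 03:1{i}:00", "203.0.113.7", f"user{i % 3}@example.com")
              for i in range(7)]
SAMPLE_LOG.append(_line("2012-09-12 03:17:30", "198.51.100.4", "bob@example.com"))
```

Running `find_offenders(SAMPLE_LOG)` reports only 203.0.113.7, never the proxy address 192.168.101.99 and never bob's single failure; the resulting map is what a blocking action (iptables, hosts.deny) would consume.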

10-20-2012, 02:32 AM

Paul Csiki

Hello,

Well, on my Zimbra installation, if a user tries too many passwords on an account, that account gets locked out. Correct me if I'm wrong.

10-20-2012, 02:43 AM

justdave

Quote:

Originally Posted by Paul Csiki

Well, on my Zimbra installation, if a user tries too many passwords on an account, that account gets locked out. Correct me if I'm wrong.

And that's exactly why he has an issue (from what I'm understanding of his complaint here so far). His real users are getting locked out because someone is trying to brute-force their accounts. So he needs to block the IP addresses of the brute force attack so his real users can log in.

10-20-2012, 08:49 PM

ccelis5215

Quote:

Originally Posted by justdave

And that's exactly why he has an issue (from what I'm understanding of his complaint here so far). His real users are getting locked out because someone is trying to brute-force their accounts. So he needs to block the IP addresses of the brute force attack so his real users can log in.